Allowing app to be used in iFrames for custom domains

Allowing iFrames for custom domains

I am using the Classic universal login for a web app, and need to allow the app to be embedded in an iFrame for a certain client domain. This can normally be set with the CSP: frame-ancestors setting, but does not seem possible with Auth0. I am aware that this can be enabled for everyone by disabling click-jacking protection, but this would be a security risk for my app. I need it for just specified domains.

This has been asked previously here (New Universal Login Support for IFrames (Office Addin Authentication)) but I believe a comment was incorrectly marked as a solution.

Are there any plans for enabling this feature in future? I believe it would be helpful for other users.


Hey there @roshni1 !

Thank you for creating this feedback card. Make sure to upvote it so it can attract other community members attention. Once we have some communication to reveal on that front we’ll let you know here

1 Like

I have a similar use case; a client wants to embed our web app in SuperOffice via a web panel (i.e. an iframe). We want to allow this for their domain, but by default disallow it to avoid the clickjacking vulnerability. Is this possible? If not, are you planning on making this possible in the future? Are there any workarounds without disabling clickjacking protection?


Hi everyone,

My company just created a new tenant to split environments. But the chosen solution is the New Universal Login experience.
I have an app that I want to access from another app, and we served it in an iFrame allowing the embedded app to auto-login using the same tenant as the ancestor app.
I can’t anymore.

The solution where it would be possible to customise the CSP would be perfect, setting only our company domains as allowed ancestors. :pray: